Details have emerged of a new local privilege escalation vulnerability in the Linux kernel, nicknamed Dirty Frag, which chains two page-cache write flaws to obtain root privileges without needing a race condition. According to research published by Hyunwoo Kim, the exploit links a vulnerability in the IPsec subsystem (xfrm-ESP Page-Cache Write) with another in RxRPC (RxRPC Page-Cache Write); the chain is deterministic rather than dependent on timing windows, which significantly raises the success rate and the severity of the risk for unpatched systems.
The problem is particularly relevant because it touches receive paths in which the kernel writes directly onto pages that are still referenced by user processes (for example, pipe pages attached via splice/sendfile or MSG_SPLICE_PAGES), which can expose or corrupt plaintext that an unprivileged process still holds. The two flaws cover complementary scenarios: on distributions that allow unprivileged creation of user namespaces the IPsec variant can be executed, while on Ubuntu, where user namespace creation is blocked by AppArmor, the rxrpc module loaded by default makes the other variant possible. This means that many popular distributions are exposed (among those mentioned: Ubuntu 24.04.4, RHEL 10.1, Fedora 44, CentOS Stream 10, AlmaLinux 10 and openSUSE Tumbleweed), and a working proof of concept already exists that obtains root with a single command, which increases the urgency.

Historically, the vectors involved recall earlier flaws of the Dirty Pipe and Copy Fail family, but Dirty Frag does not depend on the algif_aead module or on its known mitigation, so systems previously "patched" against Copy Fail may remain vulnerable. In addition, the roots of the problem go back to kernel commits from 2017 and 2023, which highlights how old changes can enable new and dangerous chains years later.

While kernel maintainers work on patches, temporary mitigations are critical for reducing the attack surface on servers and workstations exposed to local users or multi-user environments. Among the most effective and low-risk actions is to avoid loading the affected modules (esp4, esp6 and rxrpc) until an official patch arrives; this can be achieved by creating rules in /etc/modprobe.d/ that prevent the module from being loaded automatically or redirect its install step to /bin/false, and by verifying with lsmod that the modules are not loaded. A complementary mitigation is to disable namespace cloning by unprivileged users (sysctl kernel.unprivileged_userns_clone = 0) and, in Ubuntu environments, to check the AppArmor policy, since in many cases it prevents the first vector (xfrm) by blocking the creation of user namespaces. For more details on how and where to manage module loading, see the official kernel documentation at Kernel.org (module management) and the AppArmor documentation that Canonical maintains (Ubuntu - AppArmor).
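A shell script, added here as an example (it is not from the article or from the researcher's publication), that generates the /etc/modprobe.d/ rules described above for esp4, esp6 and rxrpc and checks lsmod-style output for any of them that are still loaded; the drop-in file name and the apply helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from the researcher's publication:
# build the /etc/modprobe.d/ drop-in the text recommends for the esp4, esp6
# and rxrpc modules, and check lsmod-style output for any that are loaded.
# The drop-in file name and the apply helper are assumptions.
set -eu

# Modules the article says to keep unloaded until the kernel fix lands.
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Emit the drop-in body. "install <mod> /bin/false" makes modprobe run
# /bin/false instead of loading the module, so auto-load requests fail;
# "blacklist <mod>" additionally stops alias-based loading at boot.
dirty_frag_modprobe_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Read lsmod-style output on stdin and print every affected module that is
# currently loaded, one per line (no output means none are loaded).
dirty_frag_loaded_modules() {
    while read -r name _rest; do
        for m in $DIRTY_FRAG_MODULES; do
            if [ "$name" = "$m" ]; then
                echo "$m"
            fi
        done
    done
    return 0
}

# Write the drop-in and report modules that are already loaded (needs root).
# The drop-in only blocks future loads: a module loaded now stays loaded until
# "modprobe -r" or a reboot, and removing esp4/esp6/rxrpc can break IPsec or
# AFS/RxRPC clients, so review that impact first as the article advises.
dirty_frag_apply() {
    conf_file="/etc/modprobe.d/dirty-frag-mitigation.conf"   # assumed name
    dirty_frag_modprobe_conf > "$conf_file"
    # Only kernels carrying the Debian/Ubuntu patch expose this sysctl.
    sysctl -w kernel.unprivileged_userns_clone=0 2>/dev/null || true
    loaded=$(lsmod | dirty_frag_loaded_modules)
    if [ -n "$loaded" ]; then
        echo "still loaded (reboot or modprobe -r after impact review):" $loaded
    fi
}
```

Run dirty_frag_apply as root to install the drop-in; dirty_frag_loaded_modules can also be fed saved lsmod output from a fleet inventory to find hosts that still have the modules resident.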
It is important to plan these mitigations with an operational criterion in mind: blocking modules tied to IPsec or RxRPC can have a functional impact on services that depend on IPsec/ESP or on the RxRPC core, so the effect on applications and connectivity should be evaluated before applying changes in production. Also maintain access controls on local accounts, restrict the ability of untrusted users to upload and run binaries, audit changes to SUID/SGID files and monitor operational signals (privileged shells being spawned, unusual module loads, activity from unknown processes).
Finally, when the official patches are available, apply them with priority and verify that the updated kernel effectively corrects the issues referenced. In the long term, this incident again highlights the need to minimize the attack surface on exposed hosts: disabling unnecessary modules, applying the principle of least privilege to local users and keeping base images as simple as possible reduce the likelihood that chains like Dirty Frag will be exploitable in your environment. To follow the state of vulnerabilities and updates, rely on centralized sources such as the NVD and the official kernel tree: NVD - National Vulnerability Database and Kernel.org.